MyBB Community Forums

Full Version: Login/Reset System Enhancement
The current system is simple:
  1. Type/Paste Username
  2. Type/Paste Password
  3. Login
Oh no.. Failed login:
  1. Type/Paste Username
  2. Type/Paste Password
  3. Login/Reset Password/Forgot Username
    • Temp password sent to email
Since the obvious isn't so obvious, we need to not dramatically change the system, just make minor enhancements for security.

What I propose is we simplify the system:
  1. Type Username
  2. Type Password
  3. Login
Remove the ability to paste usernames and passwords. Why?

How do most bot programs work? They paste into the username and password field(s) instead of typing them out. On the registration form, the program (bot) uses the registration form to generate input(s) that it can then paste into the forms.

If we force the bots to type all fields (mainly the login form), they can register but not log in, because they are pasting values instead of typing.

Another recommendation is to change how we "reset" passwords. Instead of sending new passwords, it should send an "Access Code" that expires in 15 minutes. Sort of like how Google makes you input a security code when logging into a new device. It keeps the password until an Access Code overrides it.

Click Reset Password -> Directed to Reset Page -> Type a verified e-mail address -> Send -> Code sent only to a verified e-mail (then they get redirected to a page that expires in 20 minutes: 5 minutes to allow the system to process the request + 15 until the code expires) -> User types their Username and Pass Code -> If code is valid -> Sent to page to type a new password -> If typed wrong 3 times, session expires and code is voided.

The main idea is to disable the ability to PASTE in any registration forms, login fields or in the reset process. This will knock out a lot of botting issues until they can mimic "typing" instead of pasting values.

Disabling pasting into login/registration fields isn't going to happen. This would also prevent the use of password managers, which would be a bad idea.

The way you suggest for resetting passwords is basically the same as the current way; we just remove the need to manually type in a code. You can still manually type in the code, I believe, if the link fails to work for any weird reason.

Really valid point, I did not think of that. Would it be better if we had a login system like Google's?

Enter Username (Forgot Username) -> Next

Enter Password (Forgot Password) -> Submit

I'm not a fan of how Google's new login works, so I don't really see that as any kind of upgrade for MyBB.
I liked being able to just type my username and password on the same page. It was so much quicker to log in. Plus it just seems like extra complications and more room for something to go wrong to me. (Like an update accidentally hits the script to log in and breaks it or something, and suddenly no one can log in...)

I think the way MyBB handles it right now is fine. This just seems to over-complicate things.

Would it be possible to create a dedicated login system that is then linked to MyBB? This could also be used for other features like multi-site and third-party integration.

I like not having an extra step between entering username and password. If that extra step is done incorrectly, it makes it easier to brute-force usernames instead of not knowing whether the username or the password failed.

As far as reset goes, I'd have to dig into MyBB's code to see what actually happens.

I'd like it this way:
1. Password reset token and password reset timeout fields get populated in the database (the password and salt fields remain unchanged)
2. An email is sent with a URL with that token already in place, but the token is also shown on its own for people who don't trust links in emails. Probably another link to report that you didn't request the password change.
3. When the link to change passwords is followed and the correct token is provided, and a new password is successfully set, then clear out the password reset token field in the db.
4. Clicking on the link indicating the user didn't initiate the password change should clear the password reset fields and notify admin.
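The four steps above (token and timeout populated while the password and salt stay untouched, the token e-mailed both inside a link and as a bare code with a "this wasn't me" link, the token cleared once a new password is set, and the report link voiding it and notifying admins), combined with the 15-minute expiry and three-wrong-attempts rule from the opening post, as an added example model. This is not MyBB's code: the field names, URLs, TTL, attempt limit and function names are assumptions made for the illustration, and the mailer is replaced by an in-memory outbox.

```python
"""Single-use, expiring password-reset tokens (added example, not MyBB's code).

Assumptions: two extra columns per user (reset_token_hash, reset_timeout plus an
attempt counter), a 15-minute TTL, three wrong codes void the token, and the
URLs/e-mail shape below are made up for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: the 15-minute expiry proposed in the thread
MAX_CODE_ATTEMPTS = 3         # assumption: three wrong codes void the token


@dataclass
class UserRecord:
    email: str
    password_hash: str                      # never touched by a reset *request*
    reset_token_hash: Optional[str] = None  # SHA-256 of the token; plaintext lives only in the e-mail
    reset_timeout: float = 0.0              # unix time after which the token is dead
    reset_attempts: int = 0


def hash_token(token: str) -> str:
    # The token carries 256 bits of entropy, so a plain hash is enough:
    # a leaked database then contains no redeemable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def clear_reset_fields(rec: UserRecord) -> None:
    rec.reset_token_hash = None
    rec.reset_timeout = 0.0
    rec.reset_attempts = 0


@dataclass
class ResetService:
    users: Dict[str, UserRecord]                         # username -> record
    now: Callable[[], float] = time.time                 # injectable clock for testing expiry
    outbox: List[dict] = field(default_factory=list)     # stand-in for the mailer
    admin_alerts: List[str] = field(default_factory=list)

    def request_reset(self, email: str) -> str:
        """Step 1: populate token and timeout; password and salt stay as they are."""
        for username, rec in self.users.items():
            if rec.email.lower() == email.lower():
                token = secrets.token_urlsafe(32)
                rec.reset_token_hash = hash_token(token)
                rec.reset_timeout = self.now() + TOKEN_TTL_SECONDS
                rec.reset_attempts = 0
                # Step 2: a link with the token in place, the bare code for people who
                # don't follow links in e-mail, and a link to report an unrequested reset.
                self.outbox.append({
                    "to": rec.email,
                    "reset_url": f"https://forum.example/reset?u={username}&t={token}",
                    "code": token,
                    "report_url": f"https://forum.example/reset/report?u={username}&t={token}",
                })
                break
        # Same reply whether or not the address exists, so the reset page
        # cannot be used to confirm which e-mail addresses are registered.
        return "If that address is registered, a reset code has been sent."

    def redeem(self, username: str, token: str, new_password: str) -> bool:
        """Step 3: a correct, unexpired token sets the new password and is then cleared."""
        rec = self.users.get(username)
        if rec is None or rec.reset_token_hash is None:
            return False
        if self.now() > rec.reset_timeout:
            clear_reset_fields(rec)           # expired: void it rather than leave it in the db
            return False
        if not hmac.compare_digest(rec.reset_token_hash, hash_token(token)):
            rec.reset_attempts += 1
            if rec.reset_attempts >= MAX_CODE_ATTEMPTS:
                clear_reset_fields(rec)       # third wrong code voids the token
            return False
        rec.password_hash = hash_password(new_password)
        clear_reset_fields(rec)               # single use: the e-mailed token is now worthless
        return True

    def report_not_requested(self, username: str, token: str) -> bool:
        """Step 4: the 'I didn't request this' link voids the token and notifies admins."""
        rec = self.users.get(username)
        if rec and rec.reset_token_hash and hmac.compare_digest(rec.reset_token_hash, hash_token(token)):
            clear_reset_fields(rec)
            self.admin_alerts.append(f"unrequested password reset reported for {username}")
            return True
        return False
```

Two details carry most of the security value: the database stores only a hash of the token, so a dump of the users table yields nothing that can be redeemed, and the request endpoint answers identically for known and unknown addresses, which is the same enumeration concern raised about a two-step login applied to the reset page.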